当前位置：网站首页>Gin security -3: fast implementation of CSRF verification

Gin security -3: fast implementation of CSRF verification

2022-06-23 21:06:00 【Trespass 】

Introduce

How does this article describe rk-boot Implement the server CSRF Verification logic .

What is? CSRF？
Cross-site request forgery （ English ：Cross-site request forgery）, Also known as one-click attack perhaps session riding, Commonly abbreviated as CSRF perhaps XSRF, It is a kind of coercion that users are currently logged in Web An attack method that performs unintended operations on an application .
With cross site scripting （XSS） comparison ,XSS Using the user's trust in the designated website ,CSRF Using the trust of the website to the user's web browser .

image

** What do you have
What defense methods are there ？
There are several popular defense methods , We use examples to realize 【 Add validation Token】 Defense .
1: Token synchronization mode 2： Check Referer Field 3： Add validation Token

Please visit the following address for a complete tutorial ：

https://rkdocs.netlify.app/cn

install

go get github.com/rookie-ninja/rk-boot/gin

Quick start

1. establish boot.yaml

boot.yaml The file will tell rk-boot How to start Gin service .

In the following YAML In file , We made a statement ：

Turn on CSRF Interceptor , Using default parameters . The interceptor will check the request Header in X-CSRF-Token Value , Judge Token Whether it is right .

---
gin:
  - name: greeter                     # Required
    port: 8080                        # Required
    enabled: true                     # Required
    interceptors:
      csrf:
        enabled: true                 # Optional, default: false

2. establish main.go

We are Gin Add two Restful API.

GET /v1/greeter: Returns the generated by the server CSRF Token
POST /v1/greeter: verification CSRF Token

// Copyright (c) 2021 rookie-ninja
//
// Use of this source code is governed by an Apache-style
// license that can be found in the LICENSE file.
package main

import (
	"context"
	"github.com/gin-gonic/gin"
	"github.com/rookie-ninja/rk-boot"
	"github.com/rookie-ninja/rk-boot/gin"
	"net/http"
)

// Application entrance.
func main() {
	// Create a new boot instance.
	boot := rkboot.NewBoot()

	ginEntry := rkbootgin.GetGinEntry("greeter")
	// Register /v1/greeter GET
	ginEntry.Router.GET("/v1/greeter", func(ctx *gin.Context) {
		ctx.JSON(http.StatusOK, "Hello!")
	})
	// Register /v1/greeter POST
	ginEntry.Router.POST("/v1/greeter", func(ctx *gin.Context) {
		ctx.JSON(http.StatusOK, "Hello!")
	})

	// Bootstrap
	boot.Bootstrap(context.Background())

	// Wait for shutdown sig
	boot.WaitForShutdownSig(context.Background())
}

3. Folder structure

.
├── boot.yaml
├── go.mod
├── go.sum
└── main.go

0 directories, 4 files

go.mod

module github.com/rookie-ninja/rk-demo

go 1.16

require (
	github.com/rookie-ninja/rk-boot v1.4.0
	github.com/rookie-ninja/rk-boot/gin v1.2.12
)

4. verification

send out GET Ask to /v1/greeter, We will get CSRF Token.

$ curl -X GET -vs localhost:8080/v1/greeter
...
< HTTP/1.1 200 OK
< Content-Type: application/json; charset=utf-8
< Set-Cookie: _csrf=XVlBzgbaiCMRAjWwhTHctcuAxhxKQFDa; Expires=Mon, 27 Dec 2021 09:35:20 GMT
< Vary: Cookie
< Date: Sun, 26 Dec 2021 09:35:20 GMT
< Content-Length: 8
< 
* Connection #0 to host localhost left intact
"Hello!"*

send out POST Ask to /v1/greeter, Provide legal CSRF Token.

$ curl -X POST -v --cookie "_csrf=my-test-csrf-token" -H "X-CSRF-Token:my-test-csrf-token" localhost:8080/v1/greeter
...
> Cookie: _csrf=my-test-csrf-token
> X-CSRF-Token:my-test-csrf-token
> 
< HTTP/1.1 200 OK
< Content-Type: application/json; charset=utf-8
< Set-Cookie: _csrf=my-test-csrf-token; Expires=Mon, 27 Dec 2021 09:35:43 GMT
< Vary: Cookie
< Date: Sun, 26 Dec 2021 09:35:43 GMT
< Content-Length: 8
< 
* Connection #0 to host localhost left intact
"Hello!"*

send out POST Ask to /v1/greeter, Illegal provision CSRF Token.

$ curl -X POST -v -H "X-CSRF-Token:my-test-csrf-token" localhost:8080/v1/greeter
...
> X-CSRF-Token:my-test-csrf-token
> 
< HTTP/1.1 403 Forbidden
< Content-Type: application/json; charset=utf-8
< Date: Sun, 26 Dec 2021 09:36:18 GMT
< Content-Length: 91
< 
* Connection #0 to host localhost left intact
{"error":{"code":403,"status":"Forbidden","message":"invalid csrf token","details":[null]}}

CSRF Interceptor options

rk-boot A number of CSRF Interceptor options , Unless there is a special need , The override option is not recommended .

Options	describe	type	The default value is
gin.interceptors.csrf.enabled	start-up CSRF Interceptor	boolean	false
gin.interceptors.csrf.tokenLength	Token length	int	32
gin.interceptors.csrf.tokenLookup	Where to get Token, Please refer to the following introduction	string	“header:X-CSRF-Token”
gin.interceptors.csrf.cookieName	Cookie name	string	_csrf
gin.interceptors.csrf.cookieDomain	Cookie domain	string	""
gin.interceptors.csrf.cookiePath	Cookie path	string	""
gin.interceptors.csrf.cookieMaxAge	Cookie MaxAge（ second ）	int	86400 (24 Hours )
gin.interceptors.csrf.cookieHttpOnly	Cookie HTTP Only Options	bool	false
gin.interceptors.csrf.cookieSameSite	Cookie SameSite Options , Support lax, strict, none, default	string	"lax"
gin.interceptors.csrf.ignorePrefix	Ignore CSRF Verified Restful API Path	[]string	[]

tokenLookup Format

At present, the following three methods are supported , The interceptor will use one of the following methods , Look for... In the request Token.

from HTTP Header In order to get
from HTTP Form In order to get
from HTTP Query In order to get

// Optional. Default value "header:X-CSRF-Token".
// Possible values:
// - "header:<name>"
// - "form:<name>"
// - "query:<name>"
// Optional. Default value "header:X-CSRF-Token".

原网站

版权声明
本文为[Trespass ]所创，转载请带上原文链接，感谢
https://yzsam.com/2021/12/202112261851068450.html